Sorry for not conforming to the list standards, I am on my mobile. Logins taking a long time is advantageous, remember we are not a primitive/chatty protocol like HTTP; so burning CPU cycles during a login is a VERY small problem; people often forget that we are not in the same realm of HTTP. The advantage mentioned is that: more time to verify a password = less brute operations per second = more time for an admin to notice.
-----Original Message----- From: Simon Josefsson <[email protected]> Sent: 17 December 2009 03:35 PM To: Jabber/XMPP software development list <[email protected]> Subject: Re: [jdev] plaintext passwords hack Peter Saint-Andre <[email protected]> writes: > On 12/16/09 9:03 AM, Simon Tennant (Buddycloud) wrote: >> I'm curious what the community makes of the recent news >> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/ >> given SASL's cleartext password storage? It seems like a monster breech. > > This topic is more appropriate for the [email protected] list, but here > goes anyway... > > We've had these debates for years. And this is not tied to SASL, but if > you want to offer multiple SASL mechanisms (DIGEST-MD5, SCRAM, PLAIN > over TLS, CRAM-MD5, etc.), then I think it's difficult or impossible to > have hashed passwords. If you don't store the hashed password for SCRAM, you need to burn CPU time for every login to derive the SCRAM hash keys. That doesn't scale well. /Simon _______________________________________________ JDev mailing list Forum: http://www.jabberforum.org/forumdisplay.php?f=20 Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________ _______________________________________________ JDev mailing list Forum: http://www.jabberforum.org/forumdisplay.php?f=20 Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
